Random thoughts from the mind, about whatever interests me at the time.

Is open source encryption the answer to NSA snooping?

Network World - When Unisys CISO John Frymier came in to work on Friday, Sept. 6, the phones were ringing, and continued to ring all day.
Customers were panicking over the news headlines of the day before.

Credit: Flickr: Mlcastle

The NSA had cracked Internet encryption.
The NSA was listening in to everything.
European customers were especially concerned, he says.
Fortunately, many of the headlines had been unnecessarily alarmist.
“The earlier types of encryption, with 64 bits or less, the NSA has figured out how to brute force decrypt at least some of
that traffic,” he says. “But the more modern, strong encryption, with 128 or 256 encryption units, they can't decrypt that.
And it bothers them no end.”
Customers can still trust it, he says.
“Modern encryption implemented well is perfectly secure and nobody can crack it,” he says. “Strong encryption is still safe.”
But what exactly does “implemented well” mean? And what about back
doors deliberately installed by the NSA in commercial encryption
software?
According to encryption expert Bruce Schneier, a fellow at Harvard's Berkman Center for Internet and Society, one solution
is to use open source encryption algorithms.
But open source encryption, while publicly vetted by security experts, academics, and a global community of paranoid code
wranglers, has its pitfalls as well. In particular, open source encryption requires a higher level of in-house expertise to
implement, and there may be a shortage of encryption experts to go around. In addition, open source products may not offer
the same level of functionality and support as commercial offerings.
According to Schneier, who had direct access to the leaked NSA documents, the NSA asks vendors to make subtle changes to their
encryption software to make it more vulnerable. For example, a random number generator might not be as random as it should
be. Or the software could leak keys in some undetectable way.
And if the problem is detected, the vendor can explain it away as a mistake, he says.
Though that may be changing.
“Thankfully, companies that colluded with the NSA are being penalized in the marketplace,” says Schneier.
One of his recommendations is to be suspicious of commercial encryption software and to opt for open-source alternatives.
In particular, open-source alternatives that have to be compatible with multiple implementations, since changes to the core
code base have to undergo extra scrutiny to ensure that they don't break compatibility with the various implementations.
Now that there's so much attention focused on the possibility of backdoors sponsored by the NSA, or other players, the level
of attention open source encryption software receives will only increase. Continue reading